Trust your OpenID Provider?

April 4, 2007 in OpenID by Carsten Pötter | View Comments

Today I have stumbled across two blogs argueing heavily against OpenID. Ralf Bendrath says it sucked, while deltalima2 has even started a campaign against it (it’s in German, though). Both argue that OpenID providers could start profiling users because they were the ones who knew which sites users visited (=logged in with their OpenID).

I can’t really prove them wrong in that aspect; it’s a problem the OpenID community should address, I think. On the other hand I have to confide in a lot of people and companies if I want to use the internet: email providers, isp’s, search engines, various services and websites I am registered with,… Actually I think a simple Google search for my name will reveal more information than an OpenID provider will ever gain. Google will know all the sites I have signed up with my OpenID, plus those that don’t require one: various comments on blogs, forum posts,…

It’s not the best argument in favour of OpenID, I know. Maybe someone with more knowledge about OpenID has a better one? Leave a comment, please.

Tags: , , ,

  • Carsten Pötter
    I am sure there will be competition between IdP's. Some IdP's even have similar solutions to phishing as PassPack has.

    While OpenID is still not perfect I'm confident that all major problems will be solved someday because the OpenID community is aware of them and doesn't deny them; some of them are even mentioned in the specs.
  • Cartes,
    You're abolsutely right.

    Right now a bunch of services are popping up around OpenID, which is great news. But it's up to these services to build security layers on top of OpenID. OpenID alone isn't enough.

    So yes, there will be (fierce) competition between IdP’s. At least I hope so. Because OpenID has major security issues, phishing being the biggest, and it's up to the IdP's to solve those issues.

    It'll be fun to watch how things start to shape up in the coming months.

    Cheers,
    Tara
  • Thanks for listing us at magnolia :-)

    Maybe you didn't know about us because we started the service
    only recently on April 4th, 2007.

    Cheers
    Boris
  • Carsten Pötter
    Boris, first I just edited the link you provided for your comment on deltalima2's blog. Hope, that's ok.

    Although big companies like AOL are adopting it, OpenID is still pretty unknown to most people. Also development of the specs is still in progress. So I am sure that there will be some more improvements on the security site of things (e.g. phishing) in the future. I actually think that users will register with those providers who will provide the best service in terms of security. There will be competition between IdP's.

    I didn't know about Xlogon before. Good to know that there is another provider in Germany. :)

    Carsten
  • As we ourselves just started an OpenID Provider in Germany (because at tht time we decided to do so, could not find a provider for our customers who would legally protect them), I am fairly familiar with the implementation details.

    And yes, as a provider you just have to have "knowledge" at least about which identity (URL) has a relationship with which consumer site. Without this you lose any of the benefits. In fact you would render the whole thing unusable.

    But on the other hand, that's it. And of course a matter trust.
    You don't have to provide any other data.

    So, go and look for providers, that just don't track anything. (We ourselves are not even technically prepared to. And since we don't collect that data, we just cannot evaluate them.) Look into their Terms and if that promise is written down there. In Germany customers are protected by such terms, the German TMG and DDSG.

    Maybe you'll even find some, who implemented some other features to make users a little bit less visible.

    In the meantime I can only second you in saying, that google will most probably know more about you at any time than your IdP ever will.

    I just commented on that at
    deltalima2

    Boris
blog comments powered by Disqus

Page optimized by WP Minify WordPress Plugin